DRIVERS-3239: Add exponential backoff to operation retry loop for server overloaded errors

[baileympearson]

DRIVERS-3239

Overview

This PR adds support for a new class of errors (SystemOverloadedError) to drivers' operation retry logic, as outlined in the design document.

Additionally, it includes a new argument to the MongoDB handshake (also defined in the design document).

Python will be second implementer.
Node implementation: mongodb/node-mongodb-native#4806

Testing

The testing strategy is two-fold:

• Building off of Ezra's work to generate unified tests for retryable handshake errors, this PR generates unified tests to confirm that:

  • operations are retried using the new SystemOverloadedError label
  • operations are retried no more than 5 (current MAX_ATTEMPTS, as defined in the spec) times

• Following Iris's work in DRIVERS-1934: withTransaction API retries too frequently #1851, this PR adds a prose test that ensures drivers apply exponential backoff in the retryability loop.

• Update changelog.

• Test changes in at least one language driver.

• Test these changes against all server versions and topologies (including standalone, replica set, and sharded
  clusters).

[blink1073]

It looks like you also need to bump the schema version:

source/client-backpressure/tests/backpressure-retry-loop.yml invalid
[
  {
    instancePath: '/tests/0/operations/3/expectError',
    schemaPath: '#/definitions/expectedError/type',
    keyword: 'type',
    params: { type: 'object' },
    message: 'must be object'
  }
]
 using schema v1.3
source/client-backpressure/tests/backpressure-retry-max-attempts.yml invalid
[
  {
    instancePath: '/tests/0/operations/1/expectError',
    schemaPath: '#/definitions/expectedError/type',
    keyword: 'type',
    params: { type: 'object' },
    message: 'must be object'
  }
]
 using schema v1.3source/client-backpressure/tests/backpressure-retry-loop.yml invalid
[
  {
    instancePath: '/tests/0/operations/3/expectError',
    schemaPath: '#/definitions/expectedError/type',
    keyword: 'type',
    params: { type: 'object' },
    message: 'must be object'
  }
]
 using schema v1.3
source/client-backpressure/tests/backpressure-retry-max-attempts.yml invalid
[
  {
    instancePath: '/tests/0/operations/1/expectError',
    schemaPath: '#/definitions/expectedError/type',
    keyword: 'type',
    params: { type: 'object' },
    message: 'must be object'
  }
]
 using schema v1.3

[blink1073]

WIP Python implementation: mongodb/mongo-python-driver#2635

[blink1073]

All unified and prose tests are passing in the Python implementation.

Edit: we're still failing one unified test, "client.clientBulkWrite retries using operation loop", investigating...

Edit 2: we're all good now

[jyemin]

I only reviewed the specification changes, not the pseudocode or tests. Those are best reviewed by implementers.

[jyemin]

Suggested change

	to according to the following formula: `delayMS = j * min(maxBackoff, baseBackoff * 2^i)`
	to the following formula: `delayMS = j * min(maxBackoff, baseBackoff * 2^i)`

[baileympearson]

done

[jyemin]

Since the rules include all the deposits into the token bucket, consider adding withdrawals as well.

[baileympearson]

done

[jyemin]

Anything to add here, or just remove?

[baileympearson]

Nothing yet .. I'll remove it for now. It can always be added back if there are items worth mentioning here.

[jyemin]

Not sure how we handle the date... Is there an automation for this?

[baileympearson]

Not that I know of. Usually the spec author fills it out before merging

I'll just leave this thread open to remind myself to add changelog dates before merging once all changes are completed.

[Jibola]

Thoughts:
Could this stick to being javascript from top-to-bottom?
Can we also do BIG_TIME - SMALL_TIME >= 2.1?

• To me that's more human-readable.
• It maintains that BIG_TIME must always be bigger (removing the need for absolute_value).
• It captures the 1 second variation whilst still being rigid to the 3.1 second window and stays minimally invasive.

[baileympearson]

For sure. This phrasing was taken from the withTransaction backoff tests. Would you want me to update it there as well?

[baileympearson]

@Jibola Anything remaining here?

[Jibola]

Per the concerns for golang, I thought updating these values by a scalar of 10 in those cases was fine?
cc: @matthewdale

[baileympearson]

I think the outcome was the opposite: https://docs.google.com/document/d/1teqNgeWbW6dpRQOALrJTEBRoO6sYcrpq9T3_NJE0QfU/edit?disco=AAABtSVfUxI

[Jibola]

Suggested change

	##### Implementation notes
	#### Implementation notes

[baileympearson]

submitting comments

[baileympearson]

Nothing yet .. I'll remove it for now. It can always be added back if there are items worth mentioning here.

[baileympearson]

For sure. This phrasing was taken from the withTransaction backoff tests. Would you want me to update it there as well?

[baileympearson]

Do you have an alternative definition you think makes more sense here?

[baileympearson]

It's intended as a TODO, yeah.

If I understand correctly: you're saying new specs generally just leave the changelog empty? That's fine with me as well if that's the usual practice with new specs and test readmes.

[baileympearson]

Currently (before back pressure), there seem to be no reason for a driver to inspect the server response to a command run via runCommand (unless we are talking about runCursorCommand, which I am not).

I thought that all drivers inspected the response to throw an exception if the response includes: ok: 0. Is this not the case in Java?

--

runCommand is mentioned here as if the overload retry policy is trivially applicable to it, but I am not sure that's the case
and
Retrying runCommand requires changing its implementation such that it uses whatever internal retry mechanisms a driver has.

I don't think the assumption is that it is trivial for drivers to implement for all commands, because we're explicitly adding support for commands that previously were not retryable in addition to runCommand (ex: getMore). Debating whether or not it is trivial to implement misses the point imo: this is a new feature that drivers are building, so it is understood that it requires code changes to implement.

r.e. including runCommand in this project: I'm going to keep it for now, unless there's a strong technical argument against including it. I don't think we can say that drivers handle backpressure if there is a user-facing API that doesn't include the backpressure retry logic.

[vbabanin]

There appears to be a potential inconsistency between the prose specification and the pseudocode regarding server deprioritization.

Step 7:

"If the request is eligible for retry (as outlined in step 4), the client MUST add the previously used server's address to the list of deprioritized server addresses"

Step 4 requires both SystemOverloadedError and RetryableError labels.

However, the pseudocode uses deprioritized_servers.append(server.address) unconditionally - which deprioritizes the server for all retries, including traditional retryable reads and retryable writes.

If the pseudocode in this specification is intended to show the unified retry behavior combining both the new overload retry policy and existing retryable reads/writes logic (as stated in retryable-writes.md:341-346), then we should note that the existing specifications (retryable-writes/reads) restrict server deprioritization to sharded clusters only.

Line 325-326 in retryable-writes.md:

"In a sharded cluster, the server on which the operation failed MUST be provided to the server selection mechanism as a deprioritized server."

My reading is that the unified behavior should:

1. Deprioritize the server when the error has both SystemOverloadedError and RetryableError labels (matching Step 7), and
2. Continue to deprioritize only mongos in sharded clusters for existing retryable reads/writes behavior.

Could you confirm if this understanding is correct?

[baileympearson]

No, that is incorrect. All topologies and all retry mechanisms now always deprioritize servers: 3e577e8

@NoahStapp We missed a reference specifying that sharded clusters behavior in our last PR - would you mind opening a follow up that removes the sentence that Slav pointed out?

[NoahStapp]

That sentence was already fixed in the DRIVERS-3344 commit:

specifications/source/retryable-writes/retryable-writes.md

Lines 320 to 321 in 3e577e8

	For each retry attempt, drivers MUST select a writable server. The server address on which the operation failed MUST be
	provided to the server selection mechanism as a member of the deprioritized server address list.

I'd use the latest commit of master as a reference instead of Bailey's fork.

[baileympearson]

@vbabanin Anything else in this thread or can we resolve it?

[vbabanin]

retryable-writes.md:341-346 states:

"[!NOTE]
The rules above and the pseudocode below only demonstrate the rules for retryable writes... the pseudocode was intentionally unmodified. For a pseudocode block that contains both retryable writes logic as defined in this specification and backoff retryabilitity as defined in the client backpressure specification, see the pseudocode in the Backpressure Specification."

So retryable-writes tells readers go to the backpressure spec for the unified pseudocode.

However, client-backpressure.md does not seem to say it's providing a unified pseudocode. It just:

1. Says it's "separate from" existing behavior
2. Says the pseudocode shows "overload retry policy", which reads as if it only describes the overload retry policy.

If the intent is for client-backpressure.md pseudo-code to present the unified pseudocode, I’d suggest making that explicit in the text and adding links back to the relevant specs, similar to retryable-writes.md:341-346. What do you think?

[baileympearson]

The pseudocode in the client backpressure specification is unified - it handles both existing retryable reads/writes, and the new client backpressure retryability. It doesn't include all of the same detail as the pseudocodes in each retryability spec though, but I intentionally omitted things like error handling for brevity.

ex:

            is_retryable = is_retryable_write() or is_retryable_read() or (exc.has_error_label("RetryableError") and exc.has_error_label("SystemOverloadedError"))

Is there something specific you feel is missing? I can add more detail to this pseudocode if there are things missing.

[baileympearson]

@vbabanin Just following up - any additional questions?

[matthewdale]

This wording is difficult to understand. Consider a clearer sentence:

Suggested change

	5. If a retry attempt is to be attempted, a token will be consumed from the token bucket.
	5. A retry attempt consumes 1 token from the token bucket.

[baileympearson]

Sure, done

[matthewdale]

This seems to directly contradict the assertions in the CSOT spec section Why don't drivers use backoff/jitter between retry attempts?.

1. Should we remove that section from the CSOT spec?
2. Is there a reason not to apply backoff+jitter to all retry attempts, not just those with the SystemOverloadedError label?

P.S. I realize both of these are arguably out of the scope of this change, mostly wanted to know if there are existing answers to these questions.

[baileympearson]

re 1. - I think the section is still accurate because we only apply backoff and jitter to a particular subset of errors (system overloaded errors). I could update the phrasing to mention the client backpressure specification if you'd like.
re 2. - Not that I can think of but I also don't know that it is necessary. Especially with Noah's server selection changes, because now there's no chance of selecting the same server again.

The exception would be really extreme server overload (what this feature addresses) or other extreme driver scenarios where requests to all nodes are failing, exhausting the deprioritized server list. The only such non-overload scenario I can think of is a complete network outage to all nodes but I don't think backoff and jitter would help much in this scenario at all.

[matthewdale]

Thanks for the responses! Consider this resolved.

[jmikola]

This spec should also get a changelog entry.

[blink1073]

Done

[baileympearson]

submitting comments

[baileympearson]

@Jibola Anything remaining here?

[baileympearson]

Sorry, missed this one. I like your suggestion - done.

[baileympearson]

done

[baileympearson]

done

[baileympearson]

@vbabanin Anything else in this thread or can we resolve it?

[baileympearson]

I removed this example implementation

[baileympearson]

I chose to leave it as-is; as the pseudocode is written in python and follows python conventions. Let me know if the clarified pseudocde works for you

[baileympearson]

fixed

[baileympearson]

I removed the changelog

[baileympearson]

I've reworked the prose to be explicit about what the command is.

[matthewdale]

Looks good! 👍

[sanych-sun]

Why we decided to have retry number start we 0? It makes the requirements confusing. Why don't we start with 1 and in fact we will have the same formula as for withTransaction:

delayMS = j * min(maxBackoff, baseBackoff * 2^(i-1))

With the only difference here we have 2 as the base for pow function, in convinientTransaction API we have 1.5

[sanych-sun]

Here is the formula from withTransaction:
jitter * min(BACKOFF_INITIAL * 1.5 ** (transactionAttempt - 1), BACKOFF_MAX)

Where transactionAttempt started with 0 and is being incremented AFTER the delay, but before executing the callback attempt. Which is also confusing... but in C# implementation we wait AFTER the attempt so it's more natural.